To most cybersecurity practitioners it is a well-known fact that the reduction of security risks can
only be achieved and maintained by practicing:

- A rigorous Vulnerability Management & Risk Assessment Program
- Good Asset Management and Configuration Hygiene
- Employing layered security defenses

In this session, you will learn a proven approach towards achieving specific VMP, Security Risk and
Compliance goals by using Qualys Policy Compliance for Asset Configuration benchmarking, as
well as validating controls for Regulatory Compliance requirements (SOX and PCI).
As described in multiple IT frameworks, Vulnerability Management as an IT domain
focuses on those processes by which organizations identify, analyze and manage
vulnerability risk within a critical service operating environment.

- Vulnerability Management is one of the core components of a holistic Information
Technology Security Program, but unfortunately some organizations barely give it the
attention it deserves, so unpatched vulnerabilities continue to proliferate within them.


Much of 
priority given to Vulnerability Management and Risk remediation practices. 
While the cyber security threat landscape continues to evolve every day for the worse,
and with the sophistication of threats increasing daily, Vulnerability Management
strategy and practices must adapt quickly.

To create an effective risk-based vulnerability management program and maintain it,
every organization must prioritize building an effective vulnerability management
strategy to improve capabilities for managing and remediating vulnerability risks.
What is Vulnerability Management? (continued)

An effective Vulnerability Management Program strategy includes these components, which form a cycle:

(1) Define a Vulnerability Analysis and Resolution Strategy
(2) Develop a Plan for Vulnerability Management
(3) Implement the Vulnerability Analysis and Resolution Capability
(4) Assess and Improve the Capability
Vulnerability Management Life Cycle Review

To develop an effective vulnerability management strategy, a continuous review of the
vulnerability management life cycle is necessary to assess capabilities, as shown in the
SANS Vulnerability Management Model below.

[Figure: SANS Vulnerability Management Model, a six-stage cycle]
(1) Asset Inventory
(2) Information Management
(3) Risk Assessment
(4) Vulnerability Assessment
(5) Report and Remediate
(6) Respond
- A review of the vulnerability management lifecycle is required in order to develop an effective
strategy, and it must include an assessment of the security technology and tools used to identify and
qualify vulnerability risks, as well as the different approaches to calculate how much risk is
associated with a threat in order to determine whether to mitigate, transfer, accept, or avoid the
vulnerability.

While there are many flavors of security technologies, a recommended best practice advocates
making sure that both the security tools and the chosen approach leverage layered capabilities, so
that if one defense measure fails to detect an attack, another measure or control is available to help
prevent the attack.
Vulnerability Strategy & Tools Assessment — Layered Approach

Source: J. Muniz

[Figure: "Covering the Entire Attack Continuum". Network zones shown: Internet, Router, Employee Network, Guests, Tablets, Phones, and malicious / rogue / non-compliant user devices. Attack continuum phase labelled BEFORE: Discover, Enforce, Harden. Security tools layered across the continuum: Web Content Filter, Breach Detection, Firewall, VPN, IPS / IDS, Application FW, Content Filter, Anti-Virus, NetFlow Analytics, Secure Access + Identity Services, SPAM Filtering, Sandbox / Honey Pots, Security Information and Event Management.]
Vulnerability Management Life Cycle Review — Tools in DevOps

Vulnerability Management Lifecycle in a DevOps Environment

Source: https://www.slideshare.net/secfigo/practical-devsecops-course-part-1-82334619

[Figure: tool map for the lifecycle in a DevOps environment; legible labels are "Reporting & Metrics", Archer GRC and Qualys.]
The capabilities of the selected tools can also be supplemented with penetration testing
or bug bounty programs; however, the effectiveness of a vulnerability management
program depends on how well the organization orchestrates them toward the common
goal of reducing the threats and vulnerability risks posed to the organization.
What is IT Asset Management?

A process used to identify, control, record, report, audit and verify service
assets and configuration items, including versions, baselines, constituent components,
their attributes, and relationships.

The Asset Lifecycle

[Figure: asset lifecycle, from Requested through to Disposed.]
IT Asset Management & Configuration Management Hygiene

What is IT Asset Management & Configuration Item?

[Figure: attributes recorded for an IT Asset and its Configuration Item (CI). Legible groupings:]

- CI Lifecycle: In Service, Out of Service, ITIL Change Process
- Physical Asset Lifecycle: Available, Assigned
- Asset types: Hardware, Software License, Network
- Hardware Configuration: Server, Memory, Disk Space
- Software Configuration: Server, Memory, Disk Space
- Location: Country, State, City
- Financial/Contractual: License Agreements, Maintenance / Support, Professional Services, Lease, Escrow, Proof of Purchase
- Procurement: Vendors, Purchase Order Information, Purchase Request, Invoice
- Other labels in the figure: Network Configuration, Link to Contracts, Performance, Impact Analysis, Architecture
Why is IT Asset Management and Configuration Hygiene Important?

Without a clear picture of the IT assets which exist within an organization, there is no telling how
much exposure the organization has to a potential security attack.

IT Asset Management supports a big part of the Vulnerability Management Life Cycle, including IT
Risk Assessment, Vulnerability Patching, Incident Response and Change Configuration.

All of these processes make use of the asset management data to ensure completeness and
sound decision making.

With asset data that is out of date, incomplete or not properly managed, the likelihood and
impact of security events affecting business operations are significantly elevated.
Within our organization we have implemented the Qualys Policy Compliance
checks for Baseline Configuration Assessments of our:

- We have implemented Baseline configuration
checks using CIS Baseline Benchmarks to create Baseline Configuration Policies for use to
validate server image builds for adherence to IT Security Policy and Regulatory Requirements.
- using Custom Policies to
verify our assets in scope are assessed on a weekly basis for adherence.
- to verify PCI DSS required controls configuration
for all our PCI in scope assets.
- (Switches/Routers/Firewalls and Printers) against industry
Configuration Baseline Benchmarks (CIS/NIST).
[Screenshot: Qualys Policy Compliance > Scans > PC Scans, logged in as John Njenga. Navigation tabs: Dashboard, Policies, Scans, Reports, Exceptions, Assets, Users. The list shows 1 - 500 of 3538 scans; columns: Title, Targets, Option Profile, User, Reference, Date. Scan titles visible: "Compliance SOX Unix Linux" (twice) and "THD 2018 SOX In-Scope Assets Compliance Scan".]

Targets                                          | Option Profile             | User               | Reference                   | Date
151.140.0.5-151.140.0.6, 151.140.0.9-151.140.... | SOX Password Compliance v2 | THD_API Credential | compliance/1574312606.90425 | 11/21/2019
10.64.168.58, 10.64.169.158, 10.64.169.161, 1... | SOX Password Compliance v2 | John Njenga        | compliance/1574227306.82117 | 11/20/2019
151.140.0.5-151.140.0.6, 151.140.0.9-151.140.... | SOX Password Compliance v2 | THD API Credential | compliance/1574226204.81777 | 11/20/2019
Using Qualys Policy Compliance as a layer for Vulnerability Management

[Screenshot: Qualys Enterprise - Policy Compliance Report, November 21, 2019. "Sox Password Policy Report Scorecard", Compliance by Technology (10/22/2019-11/21/2019).]

About Report
Report Title: Compliance Scorecard Report
Created: 11/21/2019 at 08:01:05 AM (GMT-0500)
Company / Address / User Name / User Role: (blank); United States of America

Report Settings (10/22/2019-11/21/2019) - 30 Day Report
Template: Compliance Scorecard Report
Report Timeframe: 10/22/2019-11/21/2019
# of Policies: 1
Criticality: UNDEFINED, MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT
Asset Groups: SOX UNIX LINUX 2014 Q4
Asset Tags: (blank)

DETAILS (10/22/2019-11/21/2019)

Overall Compliance: 97% across 1 unique policy

By Technology (column headings on the report: Technology, Control Instances, Passed Total Changed, Error Changed, Compliance %)

Technology                   | Control Instances | Changed       | Compliance %
AIX 7.x                      | 28                | 0             | 100%
HPUX 11 iv2                  | 84                | 0             | 100%
Red Hat Enterprise Linux 5.x | 20                | 0             | 100%
Red Hat Enterprise Linux 6.x | 384               | (not legible) | 96.35%
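The baseline-configuration checks described earlier (CIS-style policies evaluated on a schedule against in-scope assets) and the Compliance by Technology scorecard above can be modelled in a few lines. The following Python is an added example, not Qualys code and not the presenter's: it defines a constructed password-hygiene policy (control ids PW-1 to PW-4 and their thresholds are illustrative, not taken from a CIS benchmark), evaluates constructed host configuration snapshots against it, rolls the results up per technology into the same kind of table as the scorecard report, and lists everything that is not a PASS as input to the "report and remediate" step. Host names, setting names and the sample values are assumptions.

```python
"""Configuration-baseline evaluation and compliance scorecard (added example).

Not Qualys code: a minimal model of what a policy compliance scan does. A
policy is a list of controls (setting, comparison, expected value); each host
snapshot is evaluated control by control, and results are rolled up per
technology as control instances, passed, failed, errors and compliance %.
"""
import operator
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    cid: str                                   # illustrative id, not a CIS control number
    description: str
    setting: str                               # key looked up in the host snapshot
    compare: Callable[[object, object], bool]  # compare(observed, expected) -> bool
    expected: object


# Constructed password-hygiene policy; thresholds are illustrative only.
PASSWORD_POLICY: List[Control] = [
    Control("PW-1", "Maximum password age in days", "PASS_MAX_DAYS", operator.le, 90),
    Control("PW-2", "Minimum password length", "PASS_MIN_LEN", operator.ge, 14),
    Control("PW-3", "Passwords remembered (reuse history)", "remember", operator.ge, 5),
    Control("PW-4", "Lockout threshold (failed attempts)", "deny", operator.le, 5),
]

# Constructed host snapshots: host -> (technology, collected settings).
HOSTS: Dict[str, Tuple[str, Dict[str, int]]] = {
    "aix01": ("AIX 7.x",
              {"PASS_MAX_DAYS": 60, "PASS_MIN_LEN": 14, "remember": 8, "deny": 3}),
    "rhel6a": ("Red Hat Enterprise Linux 6.x",
               {"PASS_MAX_DAYS": 90, "PASS_MIN_LEN": 8, "remember": 5, "deny": 5}),
    # "remember" was not collected from this host: an ERROR, never a silent PASS.
    "rhel6b": ("Red Hat Enterprise Linux 6.x",
               {"PASS_MAX_DAYS": 99999, "PASS_MIN_LEN": 14, "deny": 5}),
}


def evaluate_host(policy: List[Control], settings: Dict[str, int]) -> Dict[str, str]:
    """Map each control id to PASS, FAIL or ERROR (setting could not be assessed)."""
    results: Dict[str, str] = {}
    for c in policy:
        if c.setting not in settings:
            results[c.cid] = "ERROR"
        elif c.compare(settings[c.setting], c.expected):
            results[c.cid] = "PASS"
        else:
            results[c.cid] = "FAIL"
    return results


def scorecard(policy: List[Control], hosts) -> Dict[str, Dict[str, float]]:
    """Roll results up by technology. Compliance % = passed / instances, so an
    ERROR counts against compliance exactly like a FAIL."""
    by_tech: Dict[str, Dict[str, float]] = {}
    for _host, (tech, settings) in hosts.items():
        row = by_tech.setdefault(tech, {"instances": 0, "passed": 0, "failed": 0, "errors": 0})
        for status in evaluate_host(policy, settings).values():
            row["instances"] += 1
            row[{"PASS": "passed", "FAIL": "failed"}.get(status, "errors")] += 1
    for row in by_tech.values():
        row["compliance_pct"] = round(100.0 * row["passed"] / row["instances"], 2)
    return by_tech


def overall_compliance(card: Dict[str, Dict[str, float]]) -> float:
    """One figure across all technologies, weighted by control instances."""
    instances = sum(r["instances"] for r in card.values())
    passed = sum(r["passed"] for r in card.values())
    return round(100.0 * passed / instances, 2)


def remediation_list(policy: List[Control], hosts) -> List[Tuple[str, str, str, object]]:
    """(host, control id, status, observed value) for every non-PASS result."""
    items = []
    for host, (_tech, settings) in hosts.items():
        for cid, status in evaluate_host(policy, settings).items():
            if status != "PASS":
                ctrl = next(c for c in policy if c.cid == cid)
                items.append((host, cid, status, settings.get(ctrl.setting)))
    return items


if __name__ == "__main__":
    card = scorecard(PASSWORD_POLICY, HOSTS)
    print(f"{'Technology':30} {'Instances':>9} {'Passed':>6} {'Failed':>6} {'Errors':>6} {'Compl %':>8}")
    for tech, r in card.items():
        print(f"{tech:30} {r['instances']:9} {r['passed']:6} {r['failed']:6} "
              f"{r['errors']:6} {r['compliance_pct']:8.2f}")
    print(f"Overall compliance: {overall_compliance(card)}% across 1 policy")
    for item in remediation_list(PASSWORD_POLICY, HOSTS):
        print("remediate:", item)
```

Two design points carry over to a real program: a setting that could not be collected is reported as an error and counted against compliance rather than silently passing, and the per-technology percentage is computed over control instances (hosts times controls), which is why one badly configured host in a small technology group moves its percentage far more than the same host would move the overall figure.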